Keep its value secret just like you would a password. Each time the token is used to make a request, it will be made on your behalf. You can also reset your token from your settings page if you think it has been compromised.
We have no idea what type of adoption there may be yet. For that reason, there is no obvious mechanism to switch plans.
If you feel you need to change plan to allow more queries or access other endpoints, just contact Frank on whichever social platform. Together we can figure out something that will work out for you.
Your JWT must be passed as an Authorization header using the Bearer schema to all requests made to the API. The content of the header should look like the following:
Authorization: Bearer <token>
The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
For instance here's how you could query artists using curl: